Abstract

In this note we give a precise formulation of "resistance to arbitrary side information" and show that several relaxations of differential privacy imply it. The formulation follows the ideas originally due to Dwork and McSherry, stated implicitly in [4]. This is, to our knowledge, the first place such a formulation appears explicitly. The proof that relaxed definitions (and hence the schemes of [5, 10, 9]) satisfy the Bayesian formulation is new.

1 Introduction 

Privacy is an increasingly important aspect of data publishing. Reasoning about privacy, however, is fraught with pitfalls. One of the most significant is the auxiliary information (also called external knowledge, background knowledge, or side information) that an adversary gleans from other channels such as the web, public records, or domain knowledge. Schemes that retain privacy guarantees in the presence of independent releases are said to compose securely. The terminology, borrowed from cryptography (which borrowed, in turn, from software engineering), stems from the fact that schemes which compose securely can be designed in a stand-alone fashion without explicitly taking other releases into account. Thus, understanding independent releases is essential for enabling modular design. In fact, one would like schemes that compose securely not only with independent instances of themselves, but with arbitrary external knowledge.

Certain randomization-based notions of privacy (such as differential privacy [6]) are believed to compose securely even in the presence of arbitrary side information. In this note we give a precise formulation of this statement. First, we provide a Bayesian formulation of differential privacy which makes its resistance to arbitrary side information explicit. Second, we prove that the relaxed definitions of [5, 9] still imply the Bayesian formulation. The proof is non-trivial, and relies on the "continuity" of Bayes' rule with respect to certain distance measures on probability distributions. Our result means that the recent techniques mentioned above [5, 9, 10, 3] can be used modularly with the same sort of assurances as in the case of strictly differentially-private algorithms.

1.1 Differential Privacy 

Databases are assumed to be vectors in $\mathcal{D}^n$ for some domain $\mathcal{D}$. The Hamming distance $d(x, y)$ on $\mathcal{D}^n$ is the number of positions in which the vectors $x, y$ differ. We let $\Pr[\cdot]$ and $\mathbb{E}[\cdot]$ denote probability and expectation, respectively. Given a randomized algorithm $\mathcal{A}$, we let $\mathcal{A}(x)$ be the random variable (or, probability distribution on outputs) corresponding to input $x$. If $P$ and $Q$ are probability measures on a discrete space $D$, the statistical difference (a.k.a. total variation distance) between $P$ and $Q$ is defined as:

$$\mathrm{SD}(P, Q) = \max_{S \subseteq D} \big|P[S] - Q[S]\big|.$$

Definition 1.1 ($\varepsilon$-differential privacy [6]). A randomized algorithm $\mathcal{A}$ is said to be $\varepsilon$-differentially private if for all databases $x, y \in \mathcal{D}^n$ at Hamming distance at most 1, and for all subsets $S$ of outputs

$$\Pr[\mathcal{A}(x) \in S] \le e^{\varepsilon} \Pr[\mathcal{A}(y) \in S]. \tag{1}$$

This definition states that changing a single individual's data in the database leads to a small change in the distribution on outputs. Unlike more standard measures of distance such as total variation (also called statistical difference) or Kullback-Leibler divergence, the metric here is multiplicative and so even very unlikely events must have approximately the same probability under the distributions $\mathcal{A}(x)$ and $\mathcal{A}(y)$. This condition was relaxed somewhat in other papers [3, 7, 1, 5, 9, 10, 2]. The schemes in all those papers, however, satisfy the following relaxation [5]:

Definition 1.2 ($(\varepsilon, \delta)$-differential privacy). A randomized algorithm $\mathcal{A}$ is $(\varepsilon, \delta)$-differentially private if for all databases $x, y \in \mathcal{D}^n$ that differ in one entry, and for all subsets $S$ of outputs, $\Pr[\mathcal{A}(x) \in S] \le e^{\varepsilon} \Pr[\mathcal{A}(y) \in S] + \delta$.

The relaxations used in [7, 1, 9] were in fact stronger (i.e., less relaxed) than Definition 1.1. One consequence of the results below is that all the definitions are equivalent up to polynomial changes in the parameters, and so given the space constraints we work only with the simplest notion.¹



2 Semantics of Differential Privacy 

There is a crisp, semantically-flavored interpretation of differential privacy, due to Dwork and McSherry, and explained in [4]: Regardless of external knowledge, an adversary with access to the sanitized database draws the same conclusions whether or not my data is included in the original data. (The use of the term "semantic" for such definitions dates back to semantic security of encryption [8].) In this section, we develop a formalization of this interpretation and show that the definition of differential privacy used in the line of work this paper follows ([1, 11, 5, 10]) is essential in order to satisfy the intuition.

We require a mathematical formulation of "arbitrary external knowledge", and of "drawing conclusions". The first is captured via a prior probability distribution $b$ on $\mathcal{D}^n$ ($b$ is a mnemonic for "beliefs"). Conclusions are modeled by the corresponding posterior distribution: given a transcript $t$, the adversary updates his belief about the database $x$ using Bayes' rule to obtain a posterior $\bar{b}$:

$$\bar{b}[x|t] = \frac{\Pr[\mathcal{A}(x) = t]\, b[x]}{\sum_{y} \Pr[\mathcal{A}(y) = t]\, b[y]}. \tag{2}$$

Note that in an interactive scheme, the definition of A depends on the adversary's choices; for legibility 
we omit the dependence on the adversary in the notation. Also, for simplicity, we discuss only discrete 
probability distributions. Our results extend directly to the interactive, continuous case. 



¹ That said, some of the other relaxations, such as probabilistic differential privacy from [5], might lead to better parameters in Theorem 2.4.
For a database $x$, define $x_{-i}$ to be the same vector where position $i$ has been replaced by some fixed, default value in $\mathcal{D}$. Any valid value in $\mathcal{D}$ will do for the default value. We can then imagine $n + 1$ related games, numbered 0 through $n$. In Game 0, the adversary interacts with $\mathcal{A}(x)$. This is the interaction that actually takes place between the adversary and the randomized algorithm $\mathcal{A}$. In Game $i$ (for $1 \le i \le n$), the adversary interacts with $\mathcal{A}(x_{-i})$. Game $i$ describes the hypothetical scenario where person $i$'s data is not included.

For a particular belief distribution $b$ and transcript $t$, we can then define $n + 1$ a posteriori distributions $b_0, \ldots, b_n$, where $b_0$ is the same as $\bar{b}$ (defined in (2)) and, for larger $i$, the $i$-th belief distribution is defined with respect to Game $i$:

$$b_i[x|t] = \frac{\Pr[\mathcal{A}(x_{-i}) = t]\, b[x]}{\sum_{y} \Pr[\mathcal{A}(y_{-i}) = t]\, b[y]}.$$

Given a particular transcript $t$, the privacy has been breached if the adversary would draw different conclusions about the world and, in particular, about a person $i$ depending on whether or not $i$'s data was used. It turns out that the exact measure of "different" here does not matter much. We chose the weakest notion that applies, namely statistical difference. We say there is a problem for transcript $t$ if the distributions $b_0[\cdot|t]$ and $b_i[\cdot|t]$ are far apart in statistical difference. We would like to avoid this happening for any potential participant. This is captured by the following definition.

Definition 2.1 ($\varepsilon$-semantic privacy). A randomized algorithm $\mathcal{A}$ is said to be $\varepsilon$-semantically private if for all belief distributions $b$ on $\mathcal{D}^n$, for all databases $x \in \mathcal{D}^n$, for all possible transcripts $t$, and for all $i = 1, \ldots, n$:

$$\mathrm{SD}\big(b_0[\cdot|t],\, b_i[\cdot|t]\big) \le \varepsilon.$$

Dwork and McSherry proposed the notion of semantic privacy, informally, and observed that it is equivalent to differential privacy. We now formally show that the notions of $\varepsilon$-differential privacy (Definition 1.1) and $\varepsilon$-semantic privacy (Definition 2.1) are very closely related.

Theorem 2.2 (Dwork-McSherry). $\varepsilon$-differential privacy implies $\hat{\varepsilon}$-semantic privacy, where $\hat{\varepsilon} = e^{\varepsilon} - 1$. $\varepsilon/2$-semantic privacy implies $2\varepsilon$-differential privacy.
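As an added illustration (not part of the original note), the following Python runs the $n + 1$ games above for per-coordinate randomized response on $\{0,1\}^n$, computes $b_0[\cdot|t]$ and $b_i[\cdot|t]$ by Bayes' rule, and compares their statistical difference with the bound $e^{\varepsilon} - 1$ of Theorem 2.2. The mechanism, the default value 0 and the priors are constructed for the example.

```python
import itertools
import math

# Added example, not code from the paper: the n+1 "games" of Section 2 run
# for per-coordinate randomized response on databases in {0,1}^n.  The
# mechanism, the priors and the transcripts below are constructed.

def transcript_prob(x, t, eps):
    """Pr[A(x) = t] for randomized response: each bit of x is reported
    faithfully with probability e^eps/(1+e^eps) and flipped otherwise.
    Changing one bit of x changes this by a factor of at most e^eps, so
    A is eps-differentially private in the sense of Definition 1.1."""
    keep = math.exp(eps) / (1.0 + math.exp(eps))
    p = 1.0
    for xi, ti in zip(x, t):
        p *= keep if xi == ti else (1.0 - keep)
    return p

def remove_coordinate(x, i, default=0):
    """x_{-i}: position i (1-indexed, as in the paper) replaced by a fixed default."""
    y = list(x)
    y[i - 1] = default
    return tuple(y)

def posterior(prior, t, eps, i=0):
    """Bayes' rule as in equation (2).  Game 0 (i = 0) conditions on A(x) = t;
    Game i conditions on A(x_{-i}) = t, the world where person i's data was
    never used.  Returns b_i[. | t] as a dict over databases."""
    weights = {}
    for x, bx in prior.items():
        z = x if i == 0 else remove_coordinate(x, i)
        weights[x] = transcript_prob(z, t, eps) * bx
    total = sum(weights.values())
    return {x: w / total for x, w in weights.items()}

def statistical_difference(p, q):
    """SD(P, Q) = max_S |P[S] - Q[S]| = (1/2) * sum_a |P[a] - Q[a]|."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(a, 0.0) - q.get(a, 0.0)) for a in keys)

def semantic_gap(prior, t, eps, i):
    """SD(b_0[.|t], b_i[.|t]): how far the adversary's conclusions in Game 0
    and Game i are apart for this transcript (Definition 2.1)."""
    return statistical_difference(posterior(prior, t, eps, 0),
                                  posterior(prior, t, eps, i))

def worst_case_gap(prior, eps):
    """Maximum semantic gap over all transcripts t and coordinates i.
    Theorem 2.2 predicts at most e^eps - 1 for every prior."""
    n = len(next(iter(prior)))
    return max(semantic_gap(prior, t, eps, i)
               for t in itertools.product((0, 1), repeat=n)
               for i in range(1, n + 1))

def uniform_prior(n):
    """Adversary with no side information: uniform belief over {0,1}^n."""
    dbs = list(itertools.product((0, 1), repeat=n))
    return {x: 1.0 / len(dbs) for x in dbs}

if __name__ == "__main__":
    eps = math.log(3)  # constructed parameter: e^eps = 3
    # Constructed skewed prior: the adversary is fairly sure the first bit is 1.
    skewed = {x: (0.8 if x[0] == 1 else 0.2) / 4
              for x in itertools.product((0, 1), repeat=3)}
    for name, prior in [("uniform", uniform_prior(3)), ("skewed", skewed)]:
        print(f"{name}: worst-case SD = {worst_case_gap(prior, eps):.4f}, "
              f"Theorem 2.2 bound e^eps - 1 = {math.exp(eps) - 1:.4f}")
```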

We extend the previous Bayesian formulation to capture situations where bad events can occur with some negligible probability (say, $\delta$). We relax $\varepsilon$-semantic privacy to $(\varepsilon, \delta)$-semantic privacy and show that it is closely related to $(\varepsilon, \delta)$-differential privacy.

Definition 2.3 ($(\varepsilon, \delta)$-semantic privacy). A randomized algorithm is $(\varepsilon, \delta)$-semantically private if for all belief distributions $b$ on $\mathcal{D}^n$, with probability at least $1 - \delta$ over pairs $(x, t)$, where the database $x$ is drawn according to $b$, and transcript $t$ is drawn according to $\mathcal{A}(x)$, and for all $i = 1, \ldots, n$:

$$\mathrm{SD}\big(b_0[\cdot|t],\, b_i[\cdot|t]\big) \le \varepsilon.$$

This definition is only interesting when $\varepsilon > \delta$; otherwise just use statistical difference $2\delta$ and leave $\varepsilon = 0$. Below, we assume $\varepsilon > \delta$. In fact, in many of the proofs we will be assuming that $\delta$ is a negligible function (of $O(1/n^2)$). In Appendix A, we provide another related definition of $(\varepsilon, \delta)$-semantic privacy.

Theorem 2.4 (Main Theorem). $(\varepsilon, \delta)$-differential privacy implies $(\varepsilon', \delta')$-semantic privacy for arbitrary (not necessarily informed) beliefs with $\varepsilon' = e^{3\varepsilon} - 1 + 2\sqrt{\delta}$ and $\delta' = O(n\sqrt{\delta})$. $(\hat{\varepsilon}/2, \delta)$-semantic privacy implies $(2\varepsilon, 2\delta)$-differential privacy with $\hat{\varepsilon} = e^{\varepsilon} - 1$.
3 Some Properties of $(\varepsilon, \delta)$-Differential Privacy

We now describe some properties of $(\varepsilon, \delta)$-differential privacy that will be useful later on. This section could be of independent interest. Instead of restricting ourselves to outputs of randomized algorithms, we consider a more general definition of $(\varepsilon, \delta)$-differential privacy.

Definition 3.1 ($(\varepsilon, \delta)$-indistinguishability). Two random variables $X, Y$ taking values in a set $D$ are $(\varepsilon, \delta)$-indistinguishable if for all sets $S \subseteq D$,

$$\Pr[X \in S] \le e^{\varepsilon} \Pr[Y \in S] + \delta \quad \text{and} \quad \Pr[Y \in S] \le e^{\varepsilon} \Pr[X \in S] + \delta.$$

We will also be using a simpler variant of $(\varepsilon, \delta)$-indistinguishability, which we call point-wise $(\varepsilon, \delta)$-indistinguishability. Claim 3.3 (Parts 1 and 2) shows that $(\varepsilon, \delta)$-indistinguishability and point-wise $(\varepsilon, \delta)$-indistinguishability are almost equivalent.

Definition 3.2 (Point-wise $(\varepsilon, \delta)$-indistinguishability). Two random variables $X$ and $Y$ are point-wise $(\varepsilon, \delta)$-indistinguishable if with probability at least $1 - \delta$ over $a$ drawn from either $X$ or $Y$, we have:

$$e^{-\varepsilon} \Pr[Y = a] \le \Pr[X = a] \le e^{\varepsilon} \Pr[Y = a].$$

Claim 3.3. The following are useful facts about indistinguishability.²

1. If $X, Y$ are point-wise $(\varepsilon, \delta)$-indistinguishable then they are $(\varepsilon, \delta)$-indistinguishable.

2. If $X, Y$ are $(\varepsilon, \delta)$-indistinguishable then they are point-wise $\big(2\varepsilon, \frac{2\delta}{\varepsilon e^{\varepsilon}}\big)$-indistinguishable.

3. Let $X$ be a random variable on $D$. Suppose that for every $a \in D$, $\mathcal{A}(a)$ and $\mathcal{A}'(a)$ are $(\varepsilon, \delta)$-indistinguishable (for some randomized algorithms $\mathcal{A}$ and $\mathcal{A}'$). Then the pairs $(X, \mathcal{A}(X))$ and $(X, \mathcal{A}'(X))$ are $(\varepsilon, \delta)$-indistinguishable.

4. Let $X$ be a random variable. Suppose with probability at least $1 - \delta$ over $a \leftarrow X$ ($a$ drawn from $X$), $\mathcal{A}(a)$ and $\mathcal{A}'(a)$ are $(\varepsilon, \delta)$-indistinguishable (for some randomized algorithms $\mathcal{A}$ and $\mathcal{A}'$). Then the pairs $(X, \mathcal{A}(X))$ and $(X, \mathcal{A}'(X))$ are $(\varepsilon, 2\delta)$-indistinguishable.

5. If $X, Y$ are $(\varepsilon, \delta)$-indistinguishable and $\mathcal{G}$ is some randomized algorithm, then $\mathcal{G}(X)$ and $\mathcal{G}(Y)$ are $(\varepsilon, \delta)$-indistinguishable.

6. If $X, Y$ are $(\varepsilon, \delta)$-indistinguishable, then $\mathrm{SD}(X, Y) \le \hat{\varepsilon} + \delta$, where $\hat{\varepsilon} = e^{\varepsilon} - 1$.
Proof of Part 1. Let $\mathrm{Bad}$ be the set of bad values of $a$, that is

$$\mathrm{Bad} = \{a : \Pr[X = a] < e^{-\varepsilon} \Pr[Y = a] \ \text{or}\ \Pr[X = a] > e^{\varepsilon} \Pr[Y = a]\}.$$

By definition, $\Pr[X \in \mathrm{Bad}] \le \delta$. Now consider any set $S$ of outcomes.

$$\Pr[X \in S] \le \Pr[X \in S \setminus \mathrm{Bad}] + \Pr[X \in \mathrm{Bad}].$$

The first term is at most $e^{\varepsilon} \Pr[Y \in S \setminus \mathrm{Bad}] \le e^{\varepsilon} \Pr[Y \in S]$. Hence, $\Pr[X \in S] \le e^{\varepsilon} \Pr[Y \in S] + \delta$, as required. The case of $\Pr[Y \in S]$ is symmetric. Therefore, $X$ and $Y$ are $(\varepsilon, \delta)$-indistinguishable.



² A few similar properties relating to statistical difference were shown in [11]. Note that $(\varepsilon, \delta)$-indistinguishability is not a metric, unlike statistical difference. But it does inherit some nice metric-like properties.
Proof of Part 2. Let $S = \{a : \Pr[X = a] > e^{2\varepsilon} \Pr[Y = a]\}$. Then,

$$\Pr[X \in S] > e^{2\varepsilon} \Pr[Y \in S] \ge e^{\varepsilon}(1 + \varepsilon) \Pr[Y \in S] \ \Rightarrow\ \Pr[X \in S] - e^{\varepsilon} \Pr[Y \in S] > \varepsilon e^{\varepsilon} \Pr[Y \in S].$$

Since $\Pr[X \in S] - e^{\varepsilon} \Pr[Y \in S] \le \delta$, we must have $\varepsilon e^{\varepsilon} \Pr[Y \in S] < \delta$. A similar argument when considering the set $S' = \{a : \Pr[X = a] < e^{-2\varepsilon} \Pr[Y = a]\}$ shows that $\varepsilon e^{\varepsilon} \Pr[Y \in S'] < \delta$. Putting both arguments together, $\Pr[Y \in S \cup S'] < 2\delta/(\varepsilon e^{\varepsilon})$. Therefore, with probability at least $1 - 2\delta/(\varepsilon e^{\varepsilon})$ for any $a$ drawn from either $X$ or $Y$ we have: $e^{-2\varepsilon} \Pr[Y = a] \le \Pr[X = a] \le e^{2\varepsilon} \Pr[Y = a]$.

Proof of Part 3. Let $(X, \mathcal{A}(X))$ and $(X, \mathcal{A}'(X))$ be random variables on $D \times E$. Let $S$ be an arbitrary subset of $D \times E$ and, for every $a \in D$, define $S_a = \{b \in E : (a, b) \in S\}$.

$$\begin{aligned}
\Pr[(X, \mathcal{A}(X)) \in S] &= \sum_{a \in D} \Pr[\mathcal{A}(X) \in S_a \mid X = a]\, \Pr[X = a] \\
&\le \sum_{a \in D} \big(e^{\varepsilon} \Pr[\mathcal{A}'(X) \in S_a \mid X = a] + \delta\big) \Pr[X = a] \\
&\le \delta + e^{\varepsilon} \Pr[(X, \mathcal{A}'(X)) \in S].
\end{aligned}$$

By symmetry, we also have $\Pr[(X, \mathcal{A}'(X)) \in S] \le \delta + e^{\varepsilon} \Pr[(X, \mathcal{A}(X)) \in S]$. Since $S$ was arbitrary, $(X, \mathcal{A}(X))$ and $(X, \mathcal{A}'(X))$ are $(\varepsilon, \delta)$-indistinguishable.

Proof of Part 4. Let $(X, \mathcal{A}(X))$ and $(X, \mathcal{A}'(X))$ be random variables on $D \times E$. Let $T \subseteq D$ be the set of $a$'s for which $\mathcal{A}(a)$ and $\mathcal{A}'(a)$ are $(\varepsilon, \delta)$-indistinguishable. Now, let $S$ be an arbitrary subset of $D \times E$ and, for every $a \in D$, define $S_a = \{b \in E : (a, b) \in S\}$.

$$\begin{aligned}
\Pr[(X, \mathcal{A}(X)) \in S] &\le \Pr[X \notin T] + \sum_{a \in T} \Pr[\mathcal{A}(X) \in S_a \mid X = a]\, \Pr[X = a] \\
&\le \delta + \sum_{a \in T} \big(e^{\varepsilon} \Pr[\mathcal{A}'(X) \in S_a \mid X = a] + \delta\big) \Pr[X = a] \\
&\le 2\delta + e^{\varepsilon} \Pr[(X, \mathcal{A}'(X)) \in S].
\end{aligned}$$

By symmetry, we also have $\Pr[(X, \mathcal{A}'(X)) \in S] \le 2\delta + e^{\varepsilon} \Pr[(X, \mathcal{A}(X)) \in S]$. Since $S$ was arbitrary, $(X, \mathcal{A}(X))$ and $(X, \mathcal{A}'(X))$ are $(\varepsilon, 2\delta)$-indistinguishable.

Proof of Part 5. Let $D$ be some domain. A randomized procedure $\mathcal{G}$ is a pair $\mathcal{G} = (g, R)$, where $R$ is a random variable on some set $E$ and $g$ is a function from $D \times E$ to any set $F$. If $X$ is a random variable on $D$, then $\mathcal{G}(X)$ denotes the random variable on $F$ obtained by sampling $X \otimes R$ and applying $g$ to the result, where the symbol $\otimes$ denotes the tensor product. Now for any set $S \subseteq F$, writing $S_r = \{a \in D : (a, r) \in g^{-1}(S)\}$ for each $r \in E$,

$$\begin{aligned}
\Pr[\mathcal{G}(X) \in S] - e^{\varepsilon} \Pr[\mathcal{G}(Y) \in S]
&= \Pr[g(X \otimes R) \in S] - e^{\varepsilon} \Pr[g(Y \otimes R) \in S] \\
&= \Pr[X \otimes R \in g^{-1}(S)] - e^{\varepsilon} \Pr[Y \otimes R \in g^{-1}(S)] \\
&\le \sum_{r \in E} \Pr[X \in S_r \mid R = r]\, \Pr[R = r] - e^{\varepsilon} \sum_{r \in E} \Pr[Y \in S_r \mid R = r]\, \Pr[R = r] \\
&= \sum_{r \in E} \big(\Pr[X \in S_r \mid R = r] - e^{\varepsilon} \Pr[Y \in S_r \mid R = r]\big) \Pr[R = r] \\
&\le \sum_{r \in E} \delta \Pr[R = r] = \delta.
\end{aligned}$$

By symmetry, we also have $\Pr[\mathcal{G}(Y) \in S] - e^{\varepsilon} \Pr[\mathcal{G}(X) \in S] \le \delta$. Since $S$ was arbitrary, $\mathcal{G}(X)$ and $\mathcal{G}(Y)$ are $(\varepsilon, \delta)$-indistinguishable.

Proof of Part 6. Let $X$ and $Y$ be random variables on $D$. By definition $\mathrm{SD}(X, Y) = \max_{S \subseteq D} |\Pr[X \in S] - \Pr[Y \in S]|$. Let $S^{+} = \{c \in D : \Pr[X = c] > \Pr[Y = c]\}$ and $S^{-} = D \setminus S^{+}$. For any set $S \subseteq D$,

$$\begin{aligned}
2\,\big|\Pr[X \in S] - \Pr[Y \in S]\big|
&= \big|\Pr[X \in S] - \Pr[Y \in S]\big| + \big|\Pr[X \notin S] - \Pr[Y \notin S]\big| \\
&= \Big|\sum_{c \in S} \big(\Pr[X = c] - \Pr[Y = c]\big)\Big| + \Big|\sum_{c \notin S} \big(\Pr[X = c] - \Pr[Y = c]\big)\Big| \\
&\le \sum_{c \in S} \big|\Pr[X = c] - \Pr[Y = c]\big| + \sum_{c \notin S} \big|\Pr[X = c] - \Pr[Y = c]\big| \\
&= \sum_{c \in D} \big|\Pr[X = c] - \Pr[Y = c]\big| \\
&= \sum_{c \in S^{+}} \big(\Pr[X = c] - \Pr[Y = c]\big) + \sum_{c \in S^{-}} \big(\Pr[Y = c] - \Pr[X = c]\big) \\
&\le \big(e^{\varepsilon} \Pr[Y \in S^{+}] + \delta - \Pr[Y \in S^{+}]\big) + \big(e^{\varepsilon} \Pr[X \in S^{-}] + \delta - \Pr[X \in S^{-}]\big) \\
&= 2\delta + (e^{\varepsilon} - 1) \Pr[Y \in S^{+}] + (e^{\varepsilon} - 1) \Pr[X \in S^{-}] \\
&\le 2(e^{\varepsilon} - 1) + 2\delta = 2\hat{\varepsilon} + 2\delta.
\end{aligned}$$

This implies that $|\Pr[X \in S] - \Pr[Y \in S]| \le \hat{\varepsilon} + \delta$. Since the above inequality holds for every $S \subseteq D$, it immediately follows that the statistical difference between $X$ and $Y$ is at most $\hat{\varepsilon} + \delta$. □



4 Proofs of Theorems 2.2 and 2.4 



This section is devoted to proving Theorems 2.2 and 2.4. For convenience we restate the theorem statements.

Theorem 2.2 (Dwork-McSherry). $\varepsilon$-differential privacy implies $\hat{\varepsilon}$-semantic privacy, where $\hat{\varepsilon} = e^{\varepsilon} - 1$. $\varepsilon/2$-semantic privacy implies $2\varepsilon$-differential privacy.

Proof. Consider any database $x$. Consider belief distributions $b_0[\cdot|t]$ and $b_i[\cdot|t]$. $\varepsilon$-differential privacy implies that the ratio of $b_0[x|t]$ and $b_i[x|t]$ is within $e^{\pm\varepsilon}$ on every point, i.e., for every $i$ and for every possible transcript $t$:

$$e^{-\varepsilon}\, b_i[x|t] \le b_0[x|t] \le e^{\varepsilon}\, b_i[x|t].$$

In the remainder of the proof we fix $i$ and $t$. Substituting $\delta = 0$ in Claim 3.3 (part 6) implies that

$$\mathrm{SD}\big(b_0[\cdot|t],\, b_i[\cdot|t]\big) \le \hat{\varepsilon}.$$

To see that $\varepsilon/2$-semantic privacy implies $2\varepsilon$-differential privacy, consider a belief distribution $b$ which is uniform over two databases $x, y$ which are at Hamming distance one. Let $i$ be the position in which $x$ and $y$ differ. The distribution $b_i[\cdot|t]$ will be uniform over $x$ and $y$ since they induce the same distribution on transcripts in Game $i$. This means that $b_0[\cdot|t]$ will assign probabilities $1/2 \pm \varepsilon/2$ to each of the two databases (this follows from the $\varepsilon/2$-semantic privacy definition). Working through Bayes' rule shows that

$$\frac{\Pr[\mathcal{A}(x) = t]}{\Pr[\mathcal{A}(y) = t]} = \frac{b_0[x|t]}{b_0[y|t]} \le \frac{\tfrac{1}{2}(1 + \varepsilon)}{\tfrac{1}{2}(1 - \varepsilon)} \approx e^{2\varepsilon}.$$

This implies that $\mathcal{A}$ is point-wise $2\varepsilon$-differentially private. Using Claim 3.3 (part 1) implies that $\mathcal{A}$ is $2\varepsilon$-differentially private. □

We will use the following lemma to establish connections between $(\varepsilon, \delta)$-differential privacy and $(\varepsilon, \delta)$-semantic privacy. Let $B|_{A = a}$ denote the conditional distribution of $B$ given that $A = a$ for jointly distributed random variables $A$ and $B$.

Lemma 4.1 (Main Lemma). Suppose two pairs of random variables $(X, \mathcal{A}(X))$ and $(Y, \mathcal{A}'(Y))$ are $(\varepsilon, \delta)$-differentially private (for some randomized algorithms $\mathcal{A}$ and $\mathcal{A}'$). Then with probability at least $1 - \delta''$ over $t \leftarrow \mathcal{A}(X)$ (equivalently $t \leftarrow \mathcal{A}'(Y)$), the random variables $X|_{\mathcal{A}(X) = t}$ and $Y|_{\mathcal{A}'(Y) = t}$ are $(\hat{\varepsilon}, \hat{\delta})$-differentially private with $\hat{\varepsilon} = 3\varepsilon$, $\hat{\delta} = 2\sqrt{\delta}$, and $\delta'' = \sqrt{\delta} + \frac{2\delta}{\varepsilon e^{\varepsilon}} = O(\sqrt{\delta})$.

Proof. Let $(X, \mathcal{A}(X))$ and $(Y, \mathcal{A}'(Y))$ be random variables on $D \times E$. The first observation is that $\mathcal{A}(X)$ and $\mathcal{A}'(Y)$ are $(\varepsilon, \delta)$-differentially private. To prove that, consider any set $P \subseteq E$,

$$\Pr[\mathcal{A}(X) \in P] = \Pr[(X, \mathcal{A}(X)) \in D \times P] \le e^{\varepsilon} \Pr[(Y, \mathcal{A}'(Y)) \in D \times P] + \delta = e^{\varepsilon} \Pr[\mathcal{A}'(Y) \in P] + \delta.$$

Since $P$ was arbitrary, $\mathcal{A}(X)$ and $\mathcal{A}'(Y)$ are $(\varepsilon, \delta)$-differentially private. In the remainder of the proof, we will use the notation $X|_t$ for $X|_{\mathcal{A}(X) = t}$ and $Y|_t$ for $Y|_{\mathcal{A}'(Y) = t}$. Define,

$$\begin{aligned}
\mathrm{Bad}_0 &= \{a : \Pr[\mathcal{A}(X) = a] < e^{-2\varepsilon} \Pr[\mathcal{A}'(Y) = a] \ \text{or}\ \Pr[\mathcal{A}(X) = a] > e^{2\varepsilon} \Pr[\mathcal{A}'(Y) = a]\}, \\
\mathrm{Bad}_1 &= \{a : \exists\, S \subseteq D \text{ such that } \Pr[X|_a \in S] > e^{\hat{\varepsilon}} \Pr[Y|_a \in S] + \hat{\delta}\}, \\
\mathrm{Bad}_2 &= \{a : \exists\, S \subseteq D \text{ such that } \Pr[Y|_a \in S] > e^{\hat{\varepsilon}} \Pr[X|_a \in S] + \hat{\delta}\}.
\end{aligned}$$

We need an upper bound for the probabilities $\Pr[\mathcal{A}(X) \in \mathrm{Bad}_1 \cup \mathrm{Bad}_2]$ and $\Pr[\mathcal{A}'(Y) \in \mathrm{Bad}_1 \cup \mathrm{Bad}_2]$. We know from Claim 3.3 (part 2) that

$$\Pr[\mathcal{A}(X) \in \mathrm{Bad}_0] \le \frac{2\delta}{\varepsilon e^{\varepsilon}} \quad \text{and} \quad \Pr[\mathcal{A}'(Y) \in \mathrm{Bad}_0] \le \frac{2\delta}{\varepsilon e^{\varepsilon}}.$$

Note that from the initial observation $\mathcal{A}(X)$ and $\mathcal{A}'(Y)$ are $(\varepsilon, \delta)$-differentially private, therefore the condition required for applying Claim 3.3 (part 2) holds. Now define,

$$\mathrm{Bad}'_1 = \mathrm{Bad}_1 \setminus \mathrm{Bad}_0 \quad \text{and} \quad \mathrm{Bad}'_2 = \mathrm{Bad}_2 \setminus \mathrm{Bad}_0.$$

For each $a \in \mathrm{Bad}'_1$, fix a set $S_a \subseteq D$ witnessing $a \in \mathrm{Bad}_1$, i.e. $\Pr[X|_a \in S_a] > e^{\hat{\varepsilon}} \Pr[Y|_a \in S_a] + \hat{\delta}$, and define $T_1 = \bigcup_{a \in \mathrm{Bad}'_1} S_a \times \{a\} \subseteq D \times E$. Then

$$\begin{aligned}
\Pr[(X, \mathcal{A}(X)) \in T_1] &= \sum_{a \in \mathrm{Bad}'_1} \Pr[X \in S_a \mid \mathcal{A}(X) = a]\, \Pr[\mathcal{A}(X) = a] \\
&> \sum_{a \in \mathrm{Bad}'_1} \big(e^{\hat{\varepsilon}} \Pr[Y \in S_a \mid \mathcal{A}'(Y) = a] + \hat{\delta}\big) \Pr[\mathcal{A}(X) = a] \\
&= \sum_{a \in \mathrm{Bad}'_1} e^{\hat{\varepsilon}} \Pr[Y \in S_a \mid \mathcal{A}'(Y) = a]\, \Pr[\mathcal{A}(X) = a] + \hat{\delta} \sum_{a \in \mathrm{Bad}'_1} \Pr[\mathcal{A}(X) = a] \\
&\ge \sum_{a \in \mathrm{Bad}'_1} e^{\hat{\varepsilon} - 2\varepsilon} \Pr[Y \in S_a \mid \mathcal{A}'(Y) = a]\, \Pr[\mathcal{A}'(Y) = a] + \hat{\delta} \Pr[\mathcal{A}(X) \in \mathrm{Bad}'_1] \\
&= e^{\varepsilon} \Pr[(Y, \mathcal{A}'(Y)) \in T_1] + \hat{\delta} \Pr[\mathcal{A}(X) \in \mathrm{Bad}'_1].
\end{aligned}$$

The first inequality follows because of the definition of $\mathrm{Bad}'_1$; the second because $a \notin \mathrm{Bad}_0$ gives $\Pr[\mathcal{A}(X) = a] \ge e^{-2\varepsilon} \Pr[\mathcal{A}'(Y) = a]$, and $\hat{\varepsilon} - 2\varepsilon = \varepsilon$. By $(\varepsilon, \delta)$-differential privacy, $\Pr[(X, \mathcal{A}(X)) \in T_1] \le e^{\varepsilon} \Pr[(Y, \mathcal{A}'(Y)) \in T_1] + \delta$. Therefore,

$$\hat{\delta} \Pr[\mathcal{A}(X) \in \mathrm{Bad}'_1] < \delta \ \Rightarrow\ \Pr[\mathcal{A}(X) \in \mathrm{Bad}'_1] < \delta/\hat{\delta}.$$

Similarly, $\Pr[\mathcal{A}(X) \in \mathrm{Bad}'_2] < \delta/\hat{\delta}$. Finally,

$$\Pr[\mathcal{A}(X) \in \mathrm{Bad}_1 \cup \mathrm{Bad}_2] \le \Pr[\mathcal{A}(X) \in \mathrm{Bad}_0] + \Pr[\mathcal{A}(X) \in \mathrm{Bad}'_1] + \Pr[\mathcal{A}(X) \in \mathrm{Bad}'_2] \le \frac{2\delta}{\varepsilon e^{\varepsilon}} + \frac{\delta}{\hat{\delta}} + \frac{\delta}{\hat{\delta}} = \frac{2\delta}{\varepsilon e^{\varepsilon}} + \sqrt{\delta}.$$

By symmetry, we also have $\Pr[\mathcal{A}'(Y) \in \mathrm{Bad}_1 \cup \mathrm{Bad}_2] \le \frac{2\delta}{\varepsilon e^{\varepsilon}} + \sqrt{\delta}$. Therefore, with probability at least $1 - \delta''$, $X|_t$ and $Y|_t$ are $(\hat{\varepsilon}, \hat{\delta})$-differentially private. □

The following corollary follows by using the above lemma (with $Y = X$) in conjunction with Claim 3.3 (part 6).

Corollary 4.2. Let $(X, \mathcal{A}(X))$ and $(X, \mathcal{A}'(X))$ be $(\varepsilon, \delta)$-differentially private. Then, with probability at least $1 - \delta''$ over $t \leftarrow \mathcal{A}(X)$ (equivalently $t \leftarrow \mathcal{A}'(X)$), the statistical difference between $X|_{\mathcal{A}(X) = t}$ and $X|_{\mathcal{A}'(X) = t}$ is at most $e^{\hat{\varepsilon}} - 1 + \hat{\delta}$ with $\hat{\varepsilon} = 3\varepsilon$, $\hat{\delta} = 2\sqrt{\delta}$, and $\delta'' = O(\sqrt{\delta})$.

Theorem 2.4. $(\varepsilon, \delta)$-differential privacy implies $(\varepsilon', \delta')$-semantic privacy for arbitrary (not necessarily informed) beliefs with $\varepsilon' = e^{3\varepsilon} - 1 + 2\sqrt{\delta}$ and $\delta' = O(n\sqrt{\delta})$. $(\hat{\varepsilon}/2, \delta)$-semantic privacy implies $(2\varepsilon, 2\delta)$-differential privacy with $\hat{\varepsilon} = e^{\varepsilon} - 1$.



Proof. Let $\mathcal{A}$ be an $(\varepsilon, \delta)$-differentially private algorithm, and let $\mathcal{A}_i$ denote the algorithm with $\mathcal{A}_i(x) = \mathcal{A}(x_{-i})$ for all databases $x$. Let $b$ be any belief distribution. From Claim 3.3 (part 3), we know that $(b, \mathcal{A}(b))$ and $(b, \mathcal{A}_i(b))$ are $(\varepsilon, \delta)$-differentially private. Let $\delta'' = O(\sqrt{\delta})$. From Corollary 4.2, we get that with probability at least $1 - \delta''$ over $t \leftarrow \mathcal{A}(b)$, the statistical difference between $b|_{\mathcal{A}(b) = t}$ and $b|_{\mathcal{A}_i(b) = t}$ is at most $\varepsilon'$. Therefore, for any $x \leftarrow b$, with probability at least $1 - \delta''$ over $t \leftarrow \mathcal{A}(x)$, $\mathrm{SD}(b|_{\mathcal{A}(x) = t}, b|_{\mathcal{A}_i(x) = t}) \le \varepsilon'$. Taking a union bound over all coordinates $i$ implies that for any $x \leftarrow b$, with probability at least $1 - n\delta''$ over $t \leftarrow \mathcal{A}(b)$, for all $i = 1, \ldots, n$, we have $\mathrm{SD}(b|_{\mathcal{A}(x) = t}, b|_{\mathcal{A}_i(x) = t}) \le \varepsilon'$. Therefore, $\mathcal{A}$ satisfies $(\varepsilon', \delta')$-semantic privacy for $b$. Since $b$ was arbitrary, we get that $(\varepsilon, \delta)$-differential privacy implies $(\varepsilon', \delta')$-semantic privacy.

To see that $(\hat{\varepsilon}/2, \delta)$-semantic privacy implies $(2\varepsilon, 2\delta)$-differential privacy, consider a belief distribution $b$ which is uniform over two databases $x, y$ which are at Hamming distance one. The proof idea is the same as in Theorem 2.2. Let $i$ be the position in which $x$ and $y$ differ.

Let $\bar{\mathcal{A}}$ be an algorithm that with probability 1/2 draws an output from $\mathcal{A}(x)$ and with probability 1/2 draws an output from $\mathcal{A}(y)$. Consider a transcript $t$ drawn from $\bar{\mathcal{A}}$. The distribution $b_i[\cdot|t]$ will be uniform over $x$ and $y$ since they induce the same distribution on transcripts in Game $i$. This means that with probability at least $1 - \delta$ over $t \leftarrow \bar{\mathcal{A}}$, $b_0[\cdot|t]$ will assign probabilities $1/2 \pm \hat{\varepsilon}/2$ to each of the two databases. Working through Bayes' rule as in Theorem 2.2 shows that $\bar{\mathcal{A}}$ is point-wise $(2\varepsilon, \delta)$-differentially private: with probability at least $1 - \delta$ over $t \leftarrow \bar{\mathcal{A}}$, $e^{-2\varepsilon} \Pr[\mathcal{A}(y) = t] \le \Pr[\mathcal{A}(x) = t] \le e^{2\varepsilon} \Pr[\mathcal{A}(y) = t]$. Since $\bar{\mathcal{A}}$ draws from $\mathcal{A}(x)$ with probability 1/2, the same inequality holds with probability at least $1 - 2\delta$ over $t \leftarrow \mathcal{A}(x)$. Similarly, for $t \leftarrow \mathcal{A}(y)$. This implies that $\mathcal{A}$ is point-wise $(2\varepsilon, 2\delta)$-differentially private. Using Claim 3.3 (part 1) implies that $\mathcal{A}$ is $(2\varepsilon, 2\delta)$-differentially private. □
5 Discussion and Consequences



Theorem 2.4 states that the relaxed notions of differential privacy used in some previous work still imply privacy in the face of arbitrary side information. This is not the case for all possible relaxations, even very natural ones. For example, if one replaced the multiplicative notion of distance used in differential privacy with total variation distance, then the following "sanitizer" would be deemed private: choose an index $i \in \{1, \ldots, n\}$ uniformly at random and publish the entire record of individual $i$ together with his or her identity (example 2 in [4]). Such a "sanitizer" would not be meaningful at all, regardless of side information.
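As an added illustration (not from the original note), the following Python computes, for the output distributions of two neighbouring databases, both the statistical difference and the smallest $\delta$ for which they are $(\varepsilon, \delta)$-indistinguishable (Definition 3.1), and applies them to the publish-one-record "sanitizer" of this section and to randomized response, checking the bound of Claim 3.3 (part 6) along the way. The databases, records and parameters are constructed for the example.

```python
import math

# Added example, not code from the paper: the additive-vs-multiplicative
# contrast of Section 5, measured with the quantities of Definition 3.1
# and Claim 3.3 (part 6).  All distributions below are constructed.

def statistical_difference(p, q):
    """SD(P, Q) = max_S |P[S] - Q[S]| = (1/2) * sum_a |P[a] - Q[a]|."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(a, 0.0) - q.get(a, 0.0)) for a in keys)

def min_delta(p, q, eps):
    """Smallest delta for which P and Q are (eps, delta)-indistinguishable.
    max_S (P[S] - e^eps Q[S]) is attained by S = {a : P[a] > e^eps Q[a]},
    so the check is linear in the support instead of over all 2^|D| subsets;
    the symmetric direction is handled the same way."""
    keys = set(p) | set(q)
    scale = math.exp(eps)
    excess_pq = sum(max(0.0, p.get(a, 0.0) - scale * q.get(a, 0.0)) for a in keys)
    excess_qp = sum(max(0.0, q.get(a, 0.0) - scale * p.get(a, 0.0)) for a in keys)
    return max(excess_pq, excess_qp)

def publish_random_record(x):
    """Output distribution of the Section 5 'sanitizer': choose i uniformly
    and publish the pair (i, x_i), i.e. one full record with its identity."""
    n = len(x)
    dist = {}
    for i, record in enumerate(x, start=1):
        dist[(i, record)] = dist.get((i, record), 0.0) + 1.0 / n
    return dist

def randomized_response_bit(v, eps):
    """Output distribution when a single bit v is reported faithfully with
    probability e^eps/(1+e^eps) and flipped otherwise: a genuinely eps-DP release."""
    keep = math.exp(eps) / (1.0 + math.exp(eps))
    return {v: keep, 1 - v: 1.0 - keep}

def neighbor_report(px, py, eps):
    """For the output distributions of two neighbouring databases, report the
    additive distance (SD), the multiplicative slack needed (min delta at this
    eps) and the SD bound e^eps - 1 + delta of Claim 3.3 (part 6)."""
    sd = statistical_difference(px, py)
    delta = min_delta(px, py, eps)
    return {"sd": sd, "delta": delta, "claim_3_3_bound": math.exp(eps) - 1 + delta}

if __name__ == "__main__":
    eps = 1.0
    # Constructed neighbouring databases: only the first record differs.
    x = ("alice-record", "bob-record", "carol-record", "dave-record")
    y = ("alice-changed",) + x[1:]
    # SD is only 1/n, but delta stays 1/n however large eps is chosen:
    # the multiplicative condition is never met, so the scheme is not DP.
    print("publish-one-record:", neighbor_report(publish_random_record(x),
                                                  publish_random_record(y), eps))
    # Randomized response: SD is larger, yet delta = 0 at the right eps.
    print("randomized response:", neighbor_report(randomized_response_bit(0, eps),
                                                   randomized_response_bit(1, eps), eps))
```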

Theorems 2.4 and A.3 give some qualitative improvements over existing security statements. Theorem A.3 implies that the claims of [3, 7, 1] can be strengthened to hold for all predicates of the input simultaneously (a switch in the order of quantifiers). The strengthening does come at some loss in parameters since $\delta$ is increased. This incurs a factor of 2 in $\log(1/\delta)$, or a factor of $\sqrt{2}$ in the standard deviation. More significantly, Theorem 2.4 shows that noise processes with negligible probability of bad events have nice differential privacy guarantees even for adversaries who are not necessarily informed. There is a hitch, however: only adversaries whose beliefs somehow represent reality, i.e. for whom the real database is somehow "representative" of the adversary's view, can be said to learn nothing.

Finally, the techniques used to prove Theorem 12.41 can also be used to analyze schemes which do not 
provide privacy for all pairs of neighboring databases x and y, but rather only for most such pairs (remember 
that neighboring databases are the ones that differ in one entry). Specifically, it is sufficient that those 
databases where the "differential privacy" condition fails occur only with small probability. 

Theorem 5.1. Let $\mathcal{A}$ be a randomized algorithm.³ Let

$$\mathcal{S} = \{x : \forall \text{ neighbors } y \text{ of } x,\ \mathcal{A}(x) \text{ and } \mathcal{A}(y) \text{ are } (\varepsilon, \delta)\text{-differentially private}\}.$$

Then $\mathcal{A}$ satisfies $(\varepsilon', \delta')$-semantic privacy for any belief distribution $b$ such that $b[\mathcal{S}] = \Pr_{x \leftarrow b}[x \in \mathcal{S}] \ge 1 - \delta$ with $\varepsilon' = e^{3\varepsilon} - 1 + 2\sqrt{\delta}$ and $\delta' = O(n\sqrt{\delta})$.

Proof. Let $b$ be a belief distribution with $b[\mathcal{S}] \ge 1 - \delta$. Let $\delta'' = O(\sqrt{\delta})$. From Claim 3.3 (part 4), we know that $(b, \mathcal{A}(b))$ and $(b, \mathcal{A}_i(b))$ are $(\varepsilon, 2\delta)$-differentially private. From Corollary 4.2, we get that with probability at least $1 - \delta''$ over $t \leftarrow \mathcal{A}(b)$, the statistical difference between $b|_{\mathcal{A}(b) = t}$ and $b|_{\mathcal{A}_i(b) = t}$ is at most $\varepsilon'$. Therefore, with probability at least $1 - \delta''$ over pairs $(x, t)$ where $x \leftarrow b$ and $t \leftarrow \mathcal{A}(x)$, $\mathrm{SD}(b|_{\mathcal{A}(x) = t}, b|_{\mathcal{A}_i(x) = t}) \le \varepsilon'$. Taking a union bound over all coordinates $i$ implies that with probability at least $1 - n\delta''$ over pairs $(x, t)$ where $x \leftarrow b$ and $t \leftarrow \mathcal{A}(x)$, for all $i = 1, \ldots, n$ we have $\mathrm{SD}(b|_{\mathcal{A}(x) = t}, b|_{\mathcal{A}_i(x) = t}) \le \varepsilon'$. Therefore, $\mathcal{A}$ satisfies $(\varepsilon', \delta')$-semantic privacy for belief distribution $b$. □

Let $LS_f(\cdot)$ denote the local sensitivity of function $f$ (defined in [10]). Let $\mathrm{Lap}(\lambda)$ denote the Laplacian distribution. This distribution has density function $h(y) \propto \exp(-|y|/\lambda)$, mean 0, and standard deviation $\lambda$. Using the Laplacian noise addition procedure of [6, 10], along with Theorem 5.1 we get,

Corollary 5.2. Let $\mathcal{S} = \{x : LS_f(x) \le s\}$. Let $\mathcal{A}(x) = f(x) + \mathrm{Lap}(s/\varepsilon)$. Let $b$ be a belief distribution such that $b[\mathcal{S}] = \Pr_{x \leftarrow b}[x \in \mathcal{S}] \ge 1 - \delta$. Then $\mathcal{A}$ satisfies $(\varepsilon', \delta')$-semantic privacy for the belief distribution $b$ with $\varepsilon' = e^{3\varepsilon} - 1 + 2\sqrt{\delta}$ and $\delta' = O(n\sqrt{\delta})$.
Appendix A: Another View of Semantic Privacy

In this section, we discuss another possible definition of (e, (5)-semantic privacy. Even though this definition 
seems to be the more desirable one, it also seems hard to achieve. 

Definition A.1 (reality-oblivious $(\varepsilon, \delta)$-semantic privacy). A randomized algorithm is reality-oblivious $(\varepsilon, \delta)$-semantically private if for all belief distributions $b$ on $\mathcal{D}^n$, for all databases $x \in \mathcal{D}^n$, with probability at least $1 - \delta$ over transcripts $t$ drawn from $\mathcal{A}(x)$, and for all $i = 1, \ldots, n$:

$$\mathrm{SD}\big(b_0[\cdot|t],\, b_i[\cdot|t]\big) \le \varepsilon.$$

We first prove that if the adversary has arbitrary beliefs, then $(\varepsilon, \delta)$-differential privacy doesn't provide any reasonable reality-oblivious $(\varepsilon', \delta')$-semantic privacy guarantee.
Theorem A.2. $(\varepsilon, \delta)$-differential privacy does not imply reality-oblivious $(\varepsilon', \delta')$-semantic privacy for any reasonable values of $\varepsilon'$ and $\delta'$.

Proof. This counterexample is due to Dwork and McSherry: suppose that the belief distribution is uniform over $\{(0^n), (1, 0^{n-1})\}$, but that the real database is $(1^n)$. Let the database $x = (x_1, \ldots, x_n)$. Say we want to reveal $f(x) = \sum_i x_i$. Adding Gaussian noise with variance $\sigma^2 = \log(1/\delta)/\varepsilon^2$ satisfies $(\varepsilon, \delta)$-differential privacy (refer to [10] for details). However, with overwhelming probability the output will be close to $n$, and this will in turn induce a very non-uniform distribution over $\{(0^n), (1, 0^{n-1})\}$ since $(1, 0^{n-1})$ is exponentially (in $n$) more likely to generate a value near $n$ than $(0^n)$. More precisely, due to the Gaussian noise added,

$$\frac{\Pr[\mathcal{A}(x) = n \mid x = (0^n)]}{\Pr[\mathcal{A}(x) = n \mid x = (1, 0^{n-1})]} = \frac{\exp\!\big(-\frac{n^2}{2\sigma^2}\big)}{\exp\!\big(-\frac{(n-1)^2}{2\sigma^2}\big)} = \exp\!\Big(-\frac{2n - 1}{2\sigma^2}\Big).$$

Therefore, given that the output is close to $n$, the posterior distribution of the adversary would be exponentially more biased toward $(1, 0^{n-1})$ than $(0^n)$. Hence, it is exponentially far away from the prior distribution which was uniform. On the other hand, if the adversary believes he is seeing $\mathcal{A}(x_{-1})$, then no update will occur and the posterior distribution will remain uniform. Since the posterior distributions in these two situations are exponentially far apart (one exponentially far from uniform, the other uniform), it shows that $(\varepsilon, \delta)$-differential privacy does not imply any reasonable guarantee on reality-oblivious semantic privacy. □

However, $(\varepsilon, \delta)$-differential privacy does provide a strong reality-oblivious $(\varepsilon', \delta')$-semantic privacy guarantee for informed belief distributions. Using terminology from [1, 6], we say that a belief distribution $b$ is informed if $b$ is constant on $n - 1$ coordinates and agrees with the database in those coordinates. This corresponds to the adversary knowing some set of $n - 1$ entries in the database before interacting with the algorithm, and then trying to learn the remaining one entry from the interaction. Let $\mathcal{A}_i$ be a randomized algorithm such that for all databases $x$, $\mathcal{A}_i(x) = \mathcal{A}(x_{-i})$.

Theorem A.3. $(\varepsilon, \delta)$-differential privacy implies reality-oblivious $(\varepsilon', \delta')$-semantic privacy for informed beliefs with $\varepsilon' = e^{3\varepsilon} - 1 + 2\sqrt{\delta}$ and $\delta' = O(n\sqrt{\delta})$.⁴

Proof. Let $\mathcal{A}$ be an $(\varepsilon, \delta)$-differentially private algorithm. Let $x$ be any database. Let $b$ be any informed belief distribution. This means that $b$ is constant on $n - 1$ coordinates, and agrees with $x$ in those $n - 1$ coordinates. Let $i$ be the coordinate which is not yet fixed in $b$. From Claim 3.3 (part 3), we know that $(b, \mathcal{A}(b))$ and $(b, \mathcal{A}_i(b))$ are $(\varepsilon, \delta)$-differentially private. Therefore, we can apply Lemma 4.1. Let $\delta'' = O(\sqrt{\delta})$. From Corollary 4.2, we get that with probability at least $1 - \delta''$ over $t \leftarrow \mathcal{A}(b)$, the statistical difference between $b|_{\mathcal{A}(b) = t}$ and $b|_{\mathcal{A}_i(b) = t}$ is at most $\varepsilon'$. Therefore, for $x$, with probability at least $1 - \delta''$ over $t \leftarrow \mathcal{A}(x)$, $\mathrm{SD}(b|_{\mathcal{A}(x) = t}, b|_{\mathcal{A}_i(x) = t}) \le \varepsilon'$. Taking a union bound over all coordinates $i$ implies that with probability at least $1 - n\delta''$ over $t \leftarrow \mathcal{A}(x)$, for all $i = 1, \ldots, n$, we have $\mathrm{SD}(b|_{\mathcal{A}(x) = t}, b|_{\mathcal{A}_i(x) = t}) \le \varepsilon'$. Therefore, $\mathcal{A}$ satisfies reality-oblivious $(\varepsilon', \delta')$-semantic privacy for $b$. Since $x$ was arbitrary, we get that $(\varepsilon, \delta)$-differential privacy implies reality-oblivious $(\varepsilon', \delta')$-semantic privacy for informed beliefs. □



³ Note that adversaries whose belief distribution is very different from the real database (as in the counterexample of Theorem A.2) may think they have learned a lot. But does such "learning" represent a breach of privacy? We do not think so, but leave the final decision to the reader.

⁴ Reality-oblivious $(\hat{\varepsilon}/2, \delta)$-semantic privacy implies $(2\varepsilon, 2\delta)$-differential privacy with $\hat{\varepsilon} = e^{\varepsilon} - 1$. For details see the proof of Theorem 2.4.